pam-krb5 3.10 released

Russ Allbery rra at stanford.edu
Sat Jan 19 15:22:23 EST 2008


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> I usually don't use the change password feature, but I now checked the
> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and
> Solaris it states that only pam_acct_mgmt should return
> PAM_NEW_AUTHTOK_REQD for expired passwords, not pam_sm_authenticate.  I
> haven't yet checked the OpenSSH and others sources, but I think you need
> to save the state you get in pam_sm_authenticate and use it in
> pam_sm_acct_mgmt.

Yeah, this is how the documentation claims that PAM should work, but it
doesn't actually work this way and most applications don't expect it to
work this way.  In practice, pam-krb5 will usually not return
PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
password change immediately.

Currently, the module somewhat intentionally doesn't support the way in
which password changes supposedly work since I've never seen any software
that needed that behavior, but I suppose it could be added.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
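
The arrangement the quoted message proposes, recording the expiry during authentication and reporting it from the account phase, as an added example that is not part of this thread and is not pam-krb5 code. It models the per-handle store with a hypothetical `struct session` instead of linking libpam (a real module would use `pam_set_data()` and `pam_get_data()`); the `model_*` names, the `example_expired` key, the KDC outcomes and the numeric return codes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in return codes (assumed values); a real module takes these
 * from <security/pam_modules.h>. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12 };

/* Hypothetical one-slot store standing in for pam_set_data()/pam_get_data(). */
struct session { const char *key; const int *data; };

static const int EXPIRED = 1;

static void set_data(struct session *s, const char *key, const int *data)
{
    s->key = key;
    s->data = data;
}

static const int *get_data(const struct session *s, const char *key)
{
    return (s->key && strcmp(s->key, key) == 0) ? s->data : NULL;
}

/* Constructed KDC outcomes for the sample logins. */
enum kdc_result { KDC_OK, KDC_BAD_PASSWORD, KDC_KEY_EXPIRED };

/* Auth phase: when the KDC reports an expired password, remember that
 * in the session instead of returning PAM_NEW_AUTHTOK_REQD from here. */
int model_authenticate(struct session *s, enum kdc_result r)
{
    if (r == KDC_BAD_PASSWORD)
        return PAM_AUTH_ERR;
    if (r == KDC_KEY_EXPIRED)
        set_data(s, "example_expired", &EXPIRED);
    return PAM_SUCCESS;
}

/* Account phase: the only place the expiry is reported to the caller. */
int model_acct_mgmt(const struct session *s)
{
    return get_data(s, "example_expired") ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Runs both phases in the order an application calls them. */
int model_login(enum kdc_result r)
{
    struct session s = { NULL, NULL };
    int rc = model_authenticate(&s, r);
    return rc == PAM_SUCCESS ? model_acct_mgmt(&s) : rc;
}
```

An application that skips the account phase after a successful authentication never sees the expiry in this arrangement, which is why the caller's behaviour matters as much as the module's.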


